deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into Kellylorenebaker-patch-8

Browse Source
This commit is contained in:
Kelly Baker
2020-02-21 20:28:57 -08:00
committed by GitHub
parent 82a77fbbff 788af85fee
commit 175d941dae
307 changed files with 3126 additions and 2316 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/client-management/TOC.md
View File

@ -32,5 +32,6 @@
#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
#### [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

3
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -59,7 +59,7 @@ First, validate the type of EAP method being used:
![eap authentication type comparison](images/comparisontable.png)
If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu:
If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
@ -118,4 +118,3 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable
[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)<br>
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)

10
windows/client-management/change-history-for-client-management.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
ms.date: 12/27/2019
ms.date: 1/21/2020
ms.reviewer:
manager: dansimp
ms.topic: article
@ -19,11 +19,19 @@ ms.topic: article
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## February 2020
New or changed topic | Description
--- | ---
[Blue screen occurs when you update the in-box Broadcom NIC driver](troubleshoot-stop-error-on-broadcom-driver-update.md) | New
[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
## December 2019
New or changed topic | Description
--- | ---
[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New
## December 2018

2
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -65,7 +65,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
- Password
- Smartcards

217
windows/client-management/mdm/bitlocker-csp.md
View File

@ -31,12 +31,15 @@ The following diagram shows the BitLocker configuration service provider in tree
![BitLocker csp](images/provisioning-csp-bitlocker.png)
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
<!--Policy-->
<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**
<!--Description-->
Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -57,12 +60,13 @@ Allows the administrator to require storage card encryption on the device. This
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
<!--SupportedValues-->
- 0 (default) Storage cards do not need to be encrypted.
- 1 Require storage cards to be encrypted.
<!--/SupportedValues-->
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
If you want to disable this policy use the following SyncML:
@ -87,11 +91,13 @@ If you want to disable this policy use the following SyncML:
```
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
<!--Description-->
Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -112,7 +118,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Data type is integer. Sample value for this node to enable this policy: 1.
Supported operations are Add, Get, Replace, and Delete.
@ -126,12 +132,12 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
- It must not be a system partition.
- It must not be backed by virtual storage.
- It must not have a reference in the BCD store.
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
- 1 Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
<!--/SupportedValues-->
If you want to disable this policy, use the following SyncML:
```xml
@ -152,10 +158,13 @@ If you want to disable this policy, use the following SyncML:
</SyncBody>
</SyncML>
```
<!--/Policy-->
<!--Policy-->
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
<!--Description-->
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
<!--/Description-->
<!--SupportedValues-->
<table>
<tr>
<th>Home</th>
@ -176,6 +185,8 @@ Allows you to set the default encryption method for each of the different drive
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
@ -183,6 +194,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -202,14 +214,14 @@ If you disable or do not configure this policy setting, BitLocker will use the d
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
- 3 = AES-CBC 128
- 4 = AES-CBC 256
- 6 = XTS-AES 128
- 7 = XTS-AES 256
<!--/SupportedValues-->
> [!NOTE]
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
@ -231,9 +243,13 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Require additional authentication at startup&quot;.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -254,6 +270,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Require add
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Require additional authentication at startup</em></li>
@ -261,6 +279,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -297,7 +316,7 @@ Data id:
<li>ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
@ -310,7 +329,7 @@ The possible values for &#39;yy&#39; are:
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
@ -328,9 +347,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
</Replace>
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure minimum PIN length for startup&quot;.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -351,6 +374,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure m
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li>
@ -358,6 +383,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -397,9 +423,14 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot; (PrebootRecoveryInfo_Name).
<!--/Policy-->
<!--Policy-->
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot;
(PrebootRecoveryInfo_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -420,6 +451,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure p
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
@ -427,6 +460,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -445,6 +479,7 @@ Sample value for this node to enable this policy is:
```xml
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
- 0 = Empty
@ -453,7 +488,7 @@ The possible values for &#39;xx&#39; are:
- 3 = Custom recovery URL is set.
- 'yy' = string of max length 900.
- 'zz' = string of max length 500.
<!--/SupportedValues-->
> [!NOTE]
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
@ -478,9 +513,13 @@ Disabling the policy will let the system choose the default behaviors. If you w
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected operating system drives can be recovered&quot; (OSRecoveryUsage_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -501,6 +540,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
@ -508,6 +549,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -536,7 +578,7 @@ Sample value for this node to enable this policy is:
```xml
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
- true = Explicitly allow
- false = Policy not set
@ -549,7 +591,7 @@ The possible values for &#39;yy&#39; are:
The possible values for &#39;zz&#39; are:
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
@ -568,9 +610,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected fixed drives can be recovered&quot; ().
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -591,6 +637,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
@ -598,6 +646,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -627,7 +676,7 @@ Sample value for this node to enable this policy is:
```xml
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
@ -647,7 +696,7 @@ The possible values for &#39;zz&#39; are:
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
</ul>
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
@ -666,9 +715,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to fixed drives not protected by BitLocker&quot; (FDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -689,6 +742,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
@ -696,6 +751,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -728,9 +784,13 @@ If you disable or do not configure this setting, all fixed data drives on the co
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to removable drives not protected by BitLocker&quot; (RDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -751,6 +811,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
@ -758,6 +820,7 @@ ADMX Info:
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -777,13 +840,13 @@ Sample value for this node to enable this policy is:
```xml
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
@ -800,17 +863,18 @@ Disabling the policy will let the system choose the default behaviors. If you wa
</Item>
</Replace>
```
<!--/Policy-->
<!--Policy-->
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<!--Description-->
Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.
<!--/Description-->
> [!IMPORTANT]
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
> [!Warning]
> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -831,12 +895,13 @@ Allows the admin to disable the warning prompt for other disk encryption on the
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
- 1 (default) Warning prompt allowed.
<!--/SupportedValues-->
```xml
<Replace>
<CmdID>110</CmdID>
@ -846,7 +911,6 @@ The following list shows the supported values:
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
@ -861,22 +925,24 @@ The following list shows the supported values:
>3. The user's personal OneDrive (MDM/MAM only).
>
>Encryption will wait until one of these three locations backs up successfully.
<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
<!--/Policy-->
<!--Policy-->
<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
<!--Description-->
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
<!--/Description-->
> [!NOTE]
> This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
<!--SupportedValues-->
The expected values for this policy are:
- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
<!--/SupportedValues-->
If you want to disable this policy use the following SyncML:
```xml
@ -893,9 +959,18 @@ If you want to disable this policy use the following SyncML:
</Item>
</Replace>
```
<!--/Policy-->
<!--Policy-->
<a href="" id="configurerecoverypasswordrotation"></a>**ConfigureRecoveryPasswordRotation**
<!--Description-->
This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -916,15 +991,28 @@ This setting initiates a client-driven recovery password refresh after an OS dri
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Value type is int. Supported operations are Add, Delete, Get, and Replace.
<!--SupportedValues-->
Supported values are:
- 0 Refresh off (default)
- 1 Refresh on for Azure AD-joined devices
- 2 Refresh on for both Azure AD-joined and hybrid-joined devices
<!--/SupportedValues-->
<!--/Policy-->
<!--Policy-->
<a href="" id="rotaterecoverypasswords"></a>**RotateRecoveryPasswords**
<!--Description-->
This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
<!--/Description-->
The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
@ -937,6 +1025,7 @@ Recovery password refresh will only occur for devices that are joined to Azure A
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -957,14 +1046,21 @@ Each server-side recovery key rotation is represented by a request ID. The serve
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
<a href="" id="status"></a>**Status**
Interior node. Supported operation is Get.
<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**
This node reports compliance state of device encryption on the system.
<!--/Policy-->
<!--Policy-->
<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**
<!--Description-->
This node reports compliance state of device encryption on the system.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -985,15 +1081,25 @@ This node reports compliance state of device encryption on the system.
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
Supported values:
- 0 - Indicates that the device is compliant.
- Any other value represents a non-compliant device.
<!--/SupportedValues-->
Value type is int. Supported operation is Get.
<!--/Policy-->
<!--Policy-->
<a href="" id="status-rotaterecoverypasswordsstatus"></a>**Status/RotateRecoveryPasswordsStatus**
<!--Description-->
This node reports the status of RotateRecoveryPasswords request.
<!--/Description-->
Status code can be one of the following:
@ -1001,6 +1107,7 @@ Status code can be one of the following:
- 1 - Pending
- 0 - Pass
- Any other code - Failure HRESULT
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -1021,11 +1128,21 @@ Status code can be one of the following:
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Value type is int. Supported operation is Get.
<!--/Policy-->
<!--Policy-->
<a href="" id="status-rotaterecoverypasswordsrequestid"></a>**Status/RotateRecoveryPasswordsRequestID**
<!--Description-->
This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -1046,6 +1163,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Value type is string. Supported operation is Get.
### SyncML example
@ -1210,4 +1330,5 @@ The following example is provided to show proper format and should not be taken
<Final/>
</SyncBody>
</SyncML>
```
```
<!--/Policy-->

2
windows/client-management/mdm/certificate-authentication-device-enrollment.md
View File

@ -15,7 +15,7 @@ ms.date: 06/26/2017
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
> **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).

3
windows/client-management/mdm/dmclient-csp.md
View File

@ -264,7 +264,8 @@ Optional. Number of days after last successful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.

99
windows/client-management/mdm/eap-configuration.md
View File

@ -1,6 +1,6 @@
---
title: EAP configuration
description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10.
description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
ms.reviewer:
manager: dansimp
@ -15,46 +15,46 @@ ms.date: 06/26/2017
# EAP configuration
The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile
## Create an EAP configuration XML for a VPN profile
Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box.
To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
1. Run rasphone.exe.
![vpnv2 rasphone](images/vpnv2-csp-rasphone.png)
2. If you don't currently have any VPN connections and you see the following message, click **OK**.
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
![vpnv2 eap configuration](images/vpnv2-csp-networkconnections.png)
3. Select **Workplace network** in the wizard.
1. In the wizard, select **Workplace network**.
![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection.png)
4. Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters.
1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection2.png)
5. Create a fake VPN connection. In the UI shown below, click **Properties**.
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
![vpnv2 eap configuration](images/vpnv2-csp-choosenetworkconnection.png)
6. In the **Test Properties** dialog, click the **Security** tab.
1. In the **Test Properties** dialog, select the **Security** tab.
![vpnv2 eap configuration](images/vpnv2-csp-testproperties.png)
7. In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button.
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
![vpnv2 eap configuration](images/vpnv2-csp-testproperties2.png)
8. From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed.
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
![vpnv2 eap configuration](images/vpnv2-csp-testproperties3.png)![vpnv2 eap configuration](images/vpnv2-csp-testproperties4.png)
9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
```powershell
Get-VpnConnection -Name Test
@ -88,7 +88,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
$a.EapConfigXmlStream.InnerXml
```
Here is an example output
Here is an example output.
```xml
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.co
@ -106,7 +106,8 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
/></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>
```
**Note**  You should check with MDM vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
> [!NOTE]
> You should check with mobile device management (MDM) vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
- C:\\Windows\\schemas\\EAPHost
- C:\\Windows\\schemas\\EAPMethods
@ -115,46 +116,45 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
## EAP certificate filtering
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as:
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as:
- The user may be prompted to select the certificate.
- The wrong certificate may get auto selected and cause an authentication failure.
- The user might be prompted to select the certificate.
- The wrong certificate might be auto-selected and cause an authentication failure.
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
EAP XML must be updated with relevant information for your environment. This can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you will find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>
For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
For information about generating an EAP XML, see EAP configuration
For information about generating an EAP XML, see the EAP configuration article.
For more information about extended key usage, see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>
For more information about extended key usage (EKU), see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>.
For information about adding extended key usage (EKU) to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>
For information about adding EKU to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>.
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- The certificate must have at least one of the following EKU properties:
- Client Authentication
- As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2
- Any Purpose
- An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client chains to a trusted root CA
- Client Authentication. As defined by RFC 5280, this is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose. This is an EKU defined and published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
The following XML sample explains the properties for the EAP TLS XML, including certificate filtering.
> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
> [!NOTE]
> For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.
 
@ -257,35 +257,38 @@ The following XML sample explains the properties for the EAP TLS XML including c
</EapHostConfig>
```
> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**
> [!NOTE]
> The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.
 
Alternately you can use the following procedure to create an EAP Configuration XML.
Alternatively, you can use the following procedure to create an EAP configuration XML:
1. Follow steps 1 through 7 in the EAP configuration topic.
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
![vpn self host properties window](images/certfiltering1.png)
**Note**  For PEAP or TTLS, select the appropriate method and continue following this procedure.
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
 
3. Click the **Properties** button underneath the drop down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
1. Select the **Properties** button underneath the drop-down menu.
1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
![smart card or other certificate properties window](images/certfiltering2.png)
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
1. On the **Configure Certificate Selection** menu, adjust the filters as needed.
![configure certificate window](images/certfiltering3.png)
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box.
8. Continue following the procedure in the EAP configuration topic from Step 9 to get an EAP TLS profile with appropriate filtering.
1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
1. Close the rasphone dialog box.
1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
> **Note**  You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) article.
 

16
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -49,10 +49,14 @@ The following steps demonstrate required settings using the Intune service:
![Intune license verification](images/auto-enrollment-intune-license-verification.png)
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal).
Also verify that the **MAM user scope** is set to **None**. Otherwise, it will have precedence over the MDM scope that will lead to issues.
![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
> [!IMPORTANT]
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
@ -62,7 +66,7 @@ Also verify that the **MAM user scope** is set to **None**. Otherwise, it will h
Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
![Auto-enrollment azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
This information can also be found on the Azure AD device list.
@ -116,9 +120,6 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed.
The default behavior for older releases is to revert to **User Credential**.
> [!NOTE]
> Device credential group policy setting is not supported for enrolling into Microsoft Intune.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
@ -170,7 +171,7 @@ Requirements:
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
> 2. Install the package on the Primary Domain Controller (PDC).
> 2. Install the package on the Domain Controller.
> 3. Navigate, depending on the version to the folder:
> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
@ -178,14 +179,13 @@ Requirements:
> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
> 6. Restart the Primary Domain Controller for the policy to be available.
> 6. Restart the Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
5. Enforce a GPO link.
## Troubleshoot auto-enrollment of devices

2
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -19,7 +19,7 @@ This section provides an example of the mobile device enrollment protocol using
The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic

85
windows/client-management/mdm/implement-server-side-mobile-application-management.md
View File

@ -1,6 +1,6 @@
---
title: Provide server-side support for mobile app management on Windows
description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
title: Implement server-side support for mobile application management on Windows
description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -16,21 +16,21 @@ manager: dansimp
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
## Integration with Azure Active Directory
## Integration with Azure AD
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). 
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users personal devices will be enrolled to MAM or MDM depending on the users actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users personal devices will be enrolled to MAM or MDM, depending on the users actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings>Accounts>Access work or school**.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non-admin users can enroll to MAM. 
## Integration with Windows Information Protection
MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware applications. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf. 
MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf. 
To make applications WIP-aware, app developers need to include the following data in the app resource file:
To make applications WIP-aware, app developers need to include the following data in the app resource file.
``` syntax
// Mark this binary as Allowed for WIP (EDP) purpose 
@ -42,20 +42,20 @@ To make applications WIP-aware, app developers need to include the following dat
## Configuring an Azure AD tenant for MAM enrollment
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the Management app for an IT admin configuration. 
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. 
![Mobile application management app](images/implement-server-side-mobile-application-management.png)
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. 
## MAM enrollment
## MAM enrollment
MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method. 
Below are protocol changes for MAM enrollment: 
- MDM discovery is not supported
- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional
- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore, does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
- MDM discovery is not supported.
- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional.
- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
Here is an example provisioning XML for MAM enrollment.
@ -73,39 +73,36 @@ Here is an example provisioning XML for MAM enrollment.
Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isnt provided above, the device would default to once every 24 hours.
## Supported Configuration Service Providers (CSPs)
## Supported CSPs
MAM on Windows support the following CSPs. All other CSPs will be blocked. Note the list may change later based on customer feedback.
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
- [DevInfo CSP](devinfo-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md)
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DevInfo CSP](devinfo-csp.md).
- [DMAcc CSP](dmacc-csp.md).
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
## Device lock policies and EAS
MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP.
We do not recommend configuring both Exchange Active Sync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:
We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:
<ol>
<li>When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS:</li><ul>
<li>If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.</li>
<li>If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.</li>
</ul>
<li>If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM, EAS, and the resultant set of policies will be a superset of both.</li>
</ol>
- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS.
- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both.
## Policy sync
@ -115,20 +112,18 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM.
> [!Note]
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
> [!NOTE]
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the users access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
<ol>
<li>Both MAM and MDM policies for the organization support WIP</li>
<li>EDP CSP Enterprise ID is the same for both MAM and MDM</li>
<li>EDP CSP RevokeOnMDMHandoff is set to FALSE</li>
</ol>
- Both MAM and MDM policies for the organization support WIP.
- EDP CSP Enterprise ID is the same for both MAM and MDM.
- EDP CSP RevokeOnMDMHandoff is set to false.
If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings>Accounts>Access work or school**. The user can click on this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
## Skype for Business compliance with MAM
@ -164,7 +159,7 @@ We have updated Skype for Business to work with MAM. The following table explain
<td>October 10 2017</td>
<td>Office 365 ProPlus</td>
</tr><tr>
<td><a href="https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB" data-raw-source="[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB)">First release for deferred channel</a></td>
<td><a href="https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB" data-raw-source="[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB)">First release for Deferred channel</a></td>
<td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
<td>June 13 2017</td>
<td></td>

2
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -34,7 +34,7 @@ The enrollment process includes the following steps:
## Enrollment protocol
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps:

2
windows/client-management/mdm/on-premise-authentication-device-enrollment.md
View File

@ -14,7 +14,7 @@ ms.date: 06/26/2017
# On-premises authentication device enrollment
This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic

25
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -15,6 +15,8 @@ ms.date: 07/18/2019
# Policy CSP
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@ -198,6 +200,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata" id="applicationmanagement-allowshareduserappdata">ApplicationManagement/AllowSharedUserAppData</a>
</dd>
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall"id="applicationmanagement-blocknonadminuserinstall">ApplicationManagement/BlockNonAdminUserInstall</a>
</dd>
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps" id="applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
</dd>
@ -612,6 +617,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-servicesallowedlist" id="bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
</dd>
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize"id=bluetooth-setminimumencryptionkeysize>Bluetooth/SetMinimumEncryptionKeySize</a>
</dd>
</dl>
### Browser policies
@ -3325,6 +3333,23 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-storage.md#storage-allowdiskhealthmodelupdates" id="storage-allowdiskhealthmodelupdates">Storage/AllowDiskHealthModelUpdates</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-allowstoragesenseglobal"id="storage-allowstoragesenseglobal">Storage/AllowStorageSenseGlobal</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup"id="storage-allowstoragesensetemporaryfilescleanup">Storage/AllowStorageSenseTemporaryFilesCleanup</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold"id="storage-configstoragesensecloudcontentdehydrationthreshold">Storage/ConfigStorageSenseCloudContentDehydrationThreshold</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold"id="storage-configstoragesensedownloadscleanupthreshold">Storage/ConfigStorageSenseDownloadsCleanupThreshold</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-configstoragesenseglobalcadence"id="storage-configstoragesenseglobalcadence">Storage/ConfigStorageSenseGlobalCadence</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-configstoragesenserecyclebincleanupthreshold"id="storage-configstoragesenserecyclebincleanupthreshold">Storage/ConfigStorageSenseRecycleBinCleanupThreshold</a>
<dd>
<a href="./policy-csp-storage.md#storage-enhancedstoragedevices" id="storage-enhancedstoragedevices">Storage/EnhancedStorageDevices</a>
</dd>

3
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -232,6 +232,9 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> [!NOTE]
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:

83
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 02/11/2020
ms.reviewer:
manager: dansimp
---
@ -39,6 +39,9 @@ manager: dansimp
<dd>
<a href="#applicationmanagement-allowshareduserappdata">ApplicationManagement/AllowSharedUserAppData</a>
</dd>
<dd>
<a href="#applicationmanagement-blocknonadminuserinstall">ApplicationManagement/BlockNonAdminUserInstall</a>
</dd>
<dd>
<a href="#applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
</dd>
@ -414,6 +417,83 @@ Most restricted value: 0
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-blocknonadminuserinstall"></a>**ApplicationManagement/BlockNonAdminUserInstall**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in the next major release of Windows 10.
Manages non-administrator users' ability to install Windows app packages.
If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies.
If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Prevent non-admin users from installing packaged Windows apps*
- GP name: *BlockNonAdminUserInstall*
- GP path: *Windows Components/App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages.
- 1 - Enabled. Non-administrator users will not be able to initiate installation of Windows app packages.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-disablestoreoriginatedapps"></a>**ApplicationManagement/DisableStoreOriginatedApps**
@ -1032,6 +1112,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in the next major release of Windows 10.
<!--/Policies-->

75
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -7,14 +7,15 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 02/12/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - Bluetooth
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -40,6 +41,9 @@ manager: dansimp
<dd>
<a href="#bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
</dd>
<dd>
<a href="#bluetooth-setminimumencryptionkeysize">Bluetooth/SetMinimumEncryptionKeySize</a>
</dd>
</dl>
@ -390,6 +394,72 @@ The default value is an empty string. For more information, see [ServicesAllowed
<!--/Description-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bluetooth-setminimumencryptionkeysize"></a>**Bluetooth/SetMinimumEncryptionKeySize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in the next major release of Windows 10.
There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - All Bluetooth traffic is allowed.
- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnotes:
@ -400,6 +470,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in the next major release of Windows 10.
<!--/Policies-->

4
windows/client-management/mdm/policy-csp-system.md
View File

@ -307,6 +307,10 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Disabled.
- 1 Allowed.
<!--/SupportedValues-->
<!--Example-->

1
windows/client-management/mdm/vpnv2-profile-xsd.md
View File

@ -194,7 +194,6 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
<UserMethod>Eap</UserMethod>
<MachineMethod>Eap</MachineMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

46
windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Stop error occurs when you update the in-box Broadcom network adapter driver
description: Describes an issue that causes a stop error when you update an in-box Broadcom driver on Windows Server 2019, version 1809.
author: Teresa-Motiv
ms.author: v-tea
ms.date: 2/3/2020
ms.prod: w10
ms.topic: article
ms.custom:
- CI 113175
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
keywords:
manager: kaushika
---
# Stop error occurs when you update the in-box Broadcom network adapter driver
This issue affects computers that meet the following criteria:
- The operating system is Windows Server 2019, version 1809.
- The network adapter is a Broadcom NX1 Gigabit Ethernet network adapter.
- The number of logical processors is large (for example, a computer that has more than 38 logical processors).
On such a computer, when you update the in-box Broadcom network adapter driver to a later version, the computer experiences a Stop error (also known as a blue screen error or bug check error).
## Cause
The operating system media for Windows Server 2019, version 1809, contains version 17.2 of the Broadcom NIC driver. When you upgrade this driver to a later version, the process of uninstalling the version 17.2 driver generates an error. This is a known issue.
This issue was resolved in Windows Server 2019 version 1903. The operating system media use a later version of the Broadcom network adapter driver.
## Workaround
To update the Broadcom network adapter driver on an affected computer, follow these steps:
> [!NOTE]
> This procedure describes how to use Device Manager to disable and re-enable the Broadcom network adapter. Alternatively, you can use the computer BIOS to disable and re-enable the adapter. For specific instructions, see your OEM BIOS configuration guide.
1. Download the driver update to the affected computer.
1. Open Device Manager, and then select the Broadcom network adapter.
1. Right-click the adapter and then select **Disable device**.
1. Right-click the adapter again and then select **Update driver** > **Browse my computer for driver software**.
1. Select the update that you downloaded, and then start the update.
1. After the update finishes, right-click the adapter and then select **Enable device**.

2
windows/client-management/troubleshoot-stop-errors.md
View File

@ -59,7 +59,7 @@ To troubleshoot Stop error messages, follow these general steps:
3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 1015 percent free disk space.

4
windows/client-management/troubleshoot-windows-freeze.md
View File

@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps
Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
### Use memory dump to collect data for the virtual machine that's running in a frozen state
@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co
Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).
For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).

4
windows/client-management/troubleshoot-windows-startup.md
View File

@ -7,7 +7,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date:
ms.date: 2/3/2020
ms.reviewer:
manager: dansimp
---
@ -51,3 +51,5 @@ These articles will walk you through the resources you need to troubleshoot Wind
- [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)